Allowing ransomware to enter a computer and corrupt a few files before being stomped on is the way to arrest the forward march of an attack, say computer scientists.
The key is to not to stop ransomware getting into the system, which is hard, but to simply identify when files are beginning to be encrypted, assume something’s amiss, and then kill anything that’s causing the anomaly, researchers from the University of Florida (UF) and Villanova University say.
+ Also on Network World: Who is a target for ransomware? Everyone +
Strange behavior from the files is enough to tell the solution something’s wrong. You lose a few files with this inspired method, but the bulk of the data remains intact, they say.
“Attacks are tailored and unique every time they get installed on someone’s system,” says Nolen Scaife, a doctoral student and member of UF’s Florida Institute for Cybersecurity Research, in an article in UF News. That’s why they’re hard to stop with antivirus, which is good at arresting what it knows is bad and can see coming but is not as strong on guessing what the latest incarnation of a malware program is.
Scaife and his team say one should simply forget about trying to second guess malware and its morphing code and instead concentrate on recognizing when malware is performing activity on the computer—the encryption of the files for ransom, in this case.
“Our solution is better than traditional antiviruses,” Scaife says. “If something that’s benign starts to behave maliciously, then what we can do is take action against that based on what we see is happening to your data. So, we can stop, for example, all of your pictures from being encrypted.” The first few are lost, though.
CryptoDrop stops ransomware and saves files
The team says in their paper (PDF) that they can stop ransomware and save most of the files from getting encrypted in the first place.
The researchers call their solution CryptoDrop. It works in conjunction with normal antivirus, and the team is actively looking for commercial partners.
“Using a set of behavior indicators, CryptoDrop can halt a process that appears to be tampering with a large amount of the user’s data,” even if one does lose some of it, they say.
Using CryptoDrop, the “median loss” of files that have gotten encrypted, and are therefore unrecoverable without paying a ransom, is only 10 out of the 5,100 files that the team has been experimenting with.
Ransomware, which can be targeted at businesses as well as individuals, is growing. Individuals can lose family photos, videos and data. Businesses, also lose data, as well money from paying the ransom, but they also risk having their reputations damaged.
Financial loss was only the second most concerning issue, according to a survey I wrote about in February. The respondents were more worried about lost trust from those it did business with.
Data loss, destruction of data, intellectual property theft and data manipulation were all considerations, too.
The FBI estimated losses from such attacks at $24 million last year for individuals and businesses, according to UF News.